Unfortunately fx doesn't let me export the CA certificate. I can only view the server-side certificate and export it. Also, marking the exception as permanent doesn't make fx remember this setting, and I need to accept the certificate warning every time I go to a new SSL site. I tried to import the certificate that fx shows after clicking the padlock icon in the address bar into the list of trusted CAs, but fx says that it's not a CA certificate. In fx I can only see that this CA certificate is signed by the company itself; it contains its name and address, but I can't export it explicitly. And when I do "openssl s_client -showcerts -connect HOSTNAME:443" it says "No client certificate CA names sent". It seems to be harder than I thought. I think that importing this CA certificate into the list of trusted CAs in fx would make all the warnings go away.

On 6/17/13, Cristian Thiago Moecke <cont...@cristiantm.com.br> wrote:
> Ok, we have too many "maybe"s on a very open discussion that depends on so
> many variables... My intention is not to enter on a long discussion on
> security policies, I don't think the author of the first email is the
> network manager or the one that will deal with changing security policies,
> he only wants to get rid of some warnings, and therefore I would recommend
> him to keep with the most safe option, that is: only trust the CA for what
> you know it is made for, that is, trusting that specific site. You can do
> that by adding a permanent exception.
>
> But ok, I also would recommend that you talk with the network admins to
> clarify on how much trust should be put on the CA, how they want to deal
> with trust in the internal network, and so on. Maybe they will want to
> discuss it with us.
>
> But for our friend, the user, I would still recommend not messing with
> trust anchors more than needed. Let someone that knows what is going on
> there decide what to do.
>
> On Mon, Jun 17, 2013 at 1:43 PM, Salz, Rich <rs...@akamai.com> wrote:
>
>> > because from a workstation people may access external websites
>> > too. Like banks
>>
>> And perhaps they shouldn’t. Have you seen the size of the built-in
>> browser CA trust lists recently?
>>
>> And really, which is more likely: an in-house CA leads you astray, or you
>> bring some external malware from the Internet into the company?
>>
>> /r$
>>
>> --
>> Principal Security Engineer
>> Akamai Technology
>> Cambridge, MA
>
> --
> Cristian Thiago Moecke
> ______________________________________________________________________
OpenSSL Project                     http://www.openssl.org
User Support Mailing List           openssl-users@openssl.org
Automated List Manager              majord...@openssl.org